About a year ago my wife got a phone call from a stranger claiming to believe he had gone to high school with her, but he wasn't really sure. After a whole song and dance he finally said, nonchalantly, "Well, gee, what was your mother's maiden name?" Since her mother's maiden name was not, "Fuck you, asshole", I gathered from those words that she had figured out his scam. Who knows who he was. We immediatley changed all maiden-name passwords to something more obscure and less socially-engineerable. Steven ______________________________________________________ | | | HORSE HORSE LION LION, A Consulting Cooperative | | "Information into Culture" | | | | Steven Hodas/Catherine Holland, Principals | | | | hhll@u.washington.edu VOICE/FAX 206.285.5975 | |______________________________________________________| On Mon, 1 Nov 1993, Arthur Chandler wrote:
At least three places/organizations I do business with ask for this bit of info as a "security check." The idea being, I think that you mother's maiden name is something that only those intimately familiar with your family would know, and therefore is an easy, universally applicable kind of "password" to be used before handing out sensitive info. But I've always wondered just how secure this "password" is. Recalling Eric Hughes statement that "cryptography is all economics," and realizing that someone with an unlimited budget could probably scrounge that info after some effort -- just how much effort would it take? And how secure is "mom's maiden name" as a password for obtaining sensitive information over the phone?